Warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

SYSTEM INFORMATION
OS type and version Debian Linux 12
Webmin version 2.111
Virtualmin version 7.10.0 Pro
Related packages Postfix, Sasld, Dovecot

Hi,
I have got heavy problems sending e-mails. I migrated from an Ubuntu 18.04 to a freshly installed Debian 12 server. I googled a lot and read the Virtualmin docs and forum. But nothing helped. All web findings are old, had a different setup or were just not helpful. I am very desperate right now.
Here is my problem: clients are not able to send e-mails.
journalctl shows these warnings:

connect from unknown[xx.xx.xx.xx]
May 26 15:20:05  postfix/smtpd[7134]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
May 26 15:20:05 postfix/smtpd[7134]: warning: connect to Milter service inet:localhost:8891: Connection refused
May 26 15:20:06  postfix/smtpd[7134]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

/etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

inet_interfaces = xxx.xxx.xxx.xxx
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name 
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = marvin.mgc-server.eu
alias_maps = hash:/etc/aliases
mydestination = $myhostname, marvin.mgc-server.eu, localhost.mgc-server.eu, , localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 1024000000
recipient_delimiter = +
inet_protocols = all
mydomain = marvin.mgc-server.eu
mynetworks_style = subnet
allow_percent_hack = no
swap_bangpath = no
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
message_size_limit = 409600000
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
milter_default_action = accept
milter_protocol = 2
# smtpd_milters = inet:localhost:8891
# non_smtpd_milters = inet:localhost:8891
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtp_tls_security_level = dane
smtpd_sasl_auth_enable = yes
# smtp_sasl_auth_enable = yes
# smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891
# non_smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891
# non_smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891
# milter_default_action = accept
# milter_protocol = 2
# smtpd_milters = inet:127.0.0.1:8891
# non_smtpd_milters = inet:127.0.0.1:8891
# smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
# non_smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
# smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
# non_smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
#smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
#non_smtpd_milters = inet:127.0.0.1:8891,inet:localhost:8891 non_smtpd_milters = inet:127.0.0.1:8891
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,inet:localhost:8891
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,inet:localhost:8891
queue_directory = /var/spool/postfix/var/run/opendkim
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtputf8_enable = no
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_dependent_default_transport_maps
smtpd_soft_error_limit = 15

/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp	inet	n	-	-	-	-	smtpd -o smtpd_sasl_auth_enable=yes
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps	inet	n	-	-	-	-	smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
autotransition:true

testsaslauthd works

testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u xxxx -p xxxx
0: OK "Success."

Maybe I misconfigured something…
Any suggestions?

regards,
slarti

smtp_tls_security_level: try setting this to may

Can you send?

Can you receive?

I can only receive.

I am not at my computer but I have just finished my email server setup and had a lot of issues on the way. Good news, I did loads of notes.

Quantumwarp.com, search for virtualmin notes, then look for email diagnostics and the install section at the bottom where I do my server setup.

But try that may setting first

And check your SSL cert is valid and installed.

Doesn’t help ;-(
I’ll follow your links and read.

He has a permission denied error connecting to the saslauthd server; perhaps that needs fixing before messing with the postfix configuration. In fact, everything that postfix tries to connect to is erroring, so get that straight before adding random stuff to postfix config files without working out why.

in my /etc/postfix/sasl/smtpd.conf

image

this might be the issue.

Did you just copy the config files from your old server? I am on Ubuntu Minimal server.

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.4
Webmin version 2.111
Usermin version 2.010
Virtualmin version 7.10.0
Theme version 21.10
Package updates 85 package updates are available

I had this before. But then I get this:

postfix/smtpd[75767]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
May 26 20:02:54  postfix/smtpd[75767]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

I used the Virtualmin backups as described here: “How to Migrate to a New Server” from the documentation.

You migrated from a Virtualmin server to another server, or did you migrate from some other panel?

systemctl status saslauthd.service 
● saslauthd.service - LSB: saslauthd startup script
     Loaded: loaded (/etc/init.d/saslauthd; generated)
     Active: active (running) since Sun 2024-05-26 20:02:21 CEST; 6min ago
       Docs: man:systemd-sysv-generator(8)
    Process: 75403 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
      Tasks: 5 (limit: 76990)
     Memory: 2.9M
        CPU: 28ms
     CGroup: /system.slice/saslauthd.service
             ├─75423 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
             ├─75424 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
             ├─75425 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
             ├─75426 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
             └─75427 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5

May 26 20:02:21  systemd[1]: Starting saslauthd.service - LSB: saslauthd startup script...
May 26 20:02:21  saslauthd[75423]:                 : master pid is: 75423
May 26 20:02:21  saslauthd[75423]:                 : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
May 26 20:02:21  saslauthd[75403]: Starting SASL Authentication Daemon: saslauthd.
May 26 20:02:21  systemd[1]: Started saslauthd.service - LSB: saslauthd startup script.

But saslauthd is still listening on that socket.

I migrated from Ubuntu 18.04 Virtualmin 7.10.0 GPL to a freshly installed Debian 12 Virtualmin 7.10.0 Pro.

I don’t think there would be any harm in just removing those lines and seeing what happens?

And stop and start the postfix and sasl services.

P.S. I’m a Windows guy.

I tried 15 min ago.

No problem for me… 😉

ok I see a slight difference


My startup has “done” added; yours does not.

Do you think it is the “…done”?

Maybe for whatever reason the server is not able to connect to the socket. I had the same issue upgrading (not migrating) from Ubuntu 22.04 to 24.04. I am still working out why the permissions on the socket are wrong. On reboot the permissions are reset, but with a running VPS I can change the permissions, and saslauthd starts up correctly. Note these are my notes on upgrading Ubuntu 22.04 to 24.04; the problem looks the same but the cause may very well be different.
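Added example, not part of the thread: a small POSIX shell check that walks every component of the saslauthd socket path from `smtpd.conf` and reports the first one that either does not exist ("No such file or directory") or whose mode bits deny a given uid ("Permission denied"). The function names `perm_bits` and `first_blocker` are made up for this example, and it assumes GNU or BusyBox `stat -c`.

```sh
#!/bin/sh
# Added example, not from the thread. Mode bits only: ACLs, AppArmor/SELinux
# and root's permission bypass are not modelled.

# perm_bits PATH UID "GIDS": print the rwx digit (0-7) of the class
# (owner, group or other) that applies to UID on PATH.
perm_bits() {
    local st ouid ogid mode m g
    st=$(stat -c '%u %g %a' "$1") || return 2
    ouid=${st%% *}; st=${st#* }; ogid=${st%% *}; mode=${st#* }
    m=$(( 0$mode & 0777 ))              # parse octal, drop setuid/setgid/sticky
    if [ "$ouid" -eq "$2" ]; then echo $(( (m >> 6) & 7 )); return 0; fi
    for g in $3; do
        if [ "$g" -eq "$ogid" ]; then echo $(( (m >> 3) & 7 )); return 0; fi
    done
    echo $(( m & 7 ))
}

# first_blocker SOCKET UID "GIDS": print "missing:<path>" or "denied:<path>"
# for the first component that stops UID, and return 1; return 0 if none does.
first_blocker() {
    local rest="${1#/}" uid="$2" gids="$3" cur="" part bits need
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/}; need=1 ;;   # directory: search (x) bit
            *)   rest="";         need=2 ;;   # the socket itself: write (w) bit
        esac
        cur="$cur/$part"
        [ -e "$cur" ] || { echo "missing:$cur"; return 1; }
        bits=$(perm_bits "$cur" "$uid" "$gids") || return 2
        [ $(( bits & need )) -ne 0 ] || { echo "denied:$cur"; return 1; }
    done
    return 0
}

# Run as root with a user name, e.g. `sh sockcheck.sh postfix`
# (the script name is arbitrary; the socket path is the one from smtpd.conf above).
if [ -n "${1:-}" ]; then
    first_blocker /var/spool/postfix/var/run/saslauthd/mux \
        "$(id -u "$1")" "$(id -G "$1")" \
        && echo "ok: mode bits let $1 reach the socket"
fi
```

smtpd connects as the postfix user, while a `testsaslauthd` run from a root shell bypasses these permission checks, so the two results can disagree.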

What is a “vps”? Sorry for that (stupid) question, I always read only “vps” but nowhere what it means…

VPS = virtual private server

Basically an emulated PC in a software container in a server centre. Multiple VPS share the same hardware.

Often on here people will refer to your PC as a VPS. It does not really matter for Virtualmin except for Internet routing.

A dedicated server is where you have physical hardware only for you. Basically a PC in a server centre just for you.

Ah, OK. I know it as a virtual machine (VM).

Do you have more suggestions for me and my problem?
I read your virtualmin notes (which are very excellent!!), but didn’t find any hints for me.

I think postfix cannot SASL authenticate because it does not know where to look.

I don’t know why your SMTP.conf is different to mine, but it is a difference. I am not sure if this is a Debian/Ubuntu thing.

Your restriction policies look good except defer Auth twice but this won’t break anything.

You have manually tested SASL and it works.

Incoming email does not require SASL and email is getting received so postfix is fine.

Did you copy any of the config files from your old server?